Source: pam X-Debbugs-CC: t...@security.debian.org Severity: normal Tags: security
Hi, The following vulnerability was published for pam. CVE-2024-10041[0]: | A vulnerability was found in PAM. The secret information is stored | in memory, where the attacker can trigger the victim program to | execute by sending characters to its standard input (stdin). As this | occurs, the attacker can train the branch predictor to execute an | ROP chain speculatively. This flaw could result in leaked passwords, | such as those found in /etc/shadow while performing authentications. This appeared via Red Hat bugzilla and the currently only public reference is https://bugzilla.redhat.com/show_bug.cgi?id=2319212 To me it sounds rather like hardening than an actual security vulnerability, but it's hard to tell with the information available so far. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-10041 https://www.cve.org/CVERecord?id=CVE-2024-10041 Please adjust the affected versions in the BTS as needed.
